A practical look at how teams can use VellumGuard to add post-quantum application-layer encryption to patient-adjacent and research data — without rebuilding existing systems from scratch.
Beta caveat. VellumGuard is not currently HIPAA compliant. No Business Associate Agreement (BAA) is currently available. Do not process real PHI through VellumGuard without a separate written data-handling agreement. Use test or synthetic data during beta integration.
Healthcare and research teams typically store sensitive data in databases and APIs behind access controls. Those controls matter. But they protect the storage layer, not the data itself. Application-layer encryption adds a second line: even if database access is compromised, ciphertext without the right keys is unreadable.
The second problem is time. Clinical records, genomic data, and longitudinal research results stay sensitive for decades. The cryptographic assumptions behind RSA and ECC — which most software uses today — may not hold against a sufficiently capable quantum computer. NIST finalized post-quantum cryptography standards in 2024 specifically because this risk is real enough to plan around now.
"Harvest now, decrypt later" is the specific threat: adversaries can collect encrypted records today and decrypt them when better hardware arrives. For data that needs to stay confidential through 2035 and beyond, the encryption applied today determines the protection you have then.
A health-tech team builds an integration layer for a clinical notes product. Patient notes and intake forms are encrypted at the application layer before storage. Each clinical provider gets a workspace with isolated key material. Audit events record every encryption and decryption operation. When a provider offboards, their workspace key is rotated and old identity keys are rewrapped.
The database contains only ciphertext. A breach of the database or its cloud storage yields unreadable data — an attacker would also need the private key material, which is managed separately in the VellumGuard KMS backed by Google Cloud KMS.
VellumGuard handles one specific thing: application-layer encryption and key management. It is not a HIPAA compliance program. It does not replace:
VellumGuard may strengthen application-layer data protection as one component of a broader security program. It does not certify or satisfy HIPAA requirements on its own.
If you are building a healthcare or research application and want to test post-quantum encryption in a controlled beta environment, apply for design partner access. Beta is free unless otherwise agreed in writing. No charges without a written agreement before general availability.
Questions? Email beta@vellumguard.com or browse other field guides.